U.S. patent application number 15/119170 was filed with the patent office on 2017-01-12 for method and system for improving the data security during a communication process.
The applicant listed for this patent is CONTINENTAL TEVES AG & CO. OHG. Invention is credited to Henrik Antoni, Torsten Martin, Marc Menzel, Stefan Rommele.
Application Number: 20170012774 (15/119170)
Family ID: 52781062
Filed Date: 2017-01-12
United States Patent Application 20170012774
Kind Code: A1
Antoni; Henrik; et al.
January 12, 2017
METHOD AND SYSTEM FOR IMPROVING THE DATA SECURITY DURING A COMMUNICATION PROCESS
Abstract
A system for improving the data security during a communication
process, including at least one processor and a hardware security
module. The communication data is authenticated prior to a
transmission process, and the authenticity of the communication
data is checked upon being received. The authentication is carried
out by the processor, and the authentication check is carried out
by the hardware security module, wherein the communication data is
car-to-X messages. The processor and the hardware security module
are linked via a common secret element such that at least the
hardware security module cannot be coupled to another
processor.
Inventors: Antoni; Henrik (Freigericht, DE); Martin; Torsten (Steinbach/Taunus, DE); Rommele; Stefan (Kronberg/Taunus, DE); Menzel; Marc (Weimar (Lahn), DE)
Applicant: CONTINENTAL TEVES AG & CO. OHG, Frankfurt, DE
Family ID: 52781062
Appl. No.: 15/119170
Filed: March 25, 2015
PCT Filed: March 25, 2015
PCT NO: PCT/EP2015/056413
371 Date: August 16, 2016
Current U.S. Class: 1/1
Current CPC Class: H04W 4/40 20180201; H04W 12/10 20130101; H04W 4/70 20180201; H04L 9/3234 20130101; H04L 2209/84 20130101; H04L 63/0823 20130101; H04L 9/3252 20130101; H04W 12/06 20130101; H04L 63/0485 20130101; H04L 9/0897 20130101; H04L 63/123 20130101
International Class: H04L 9/08 20060101 H04L009/08; H04L 9/32 20060101 H04L009/32; H04W 12/10 20060101 H04W012/10; H04L 29/06 20060101 H04L029/06
Foreign Application Data: Mar 26, 2014, DE, 10 2014 205 593.8
Claims
1. A method for improving data security in a communication process,
comprising: encrypting and/or authenticating communication data
before sending; and decrypting and/or checking the authenticity
thereof when received, wherein a processor performs the encryption
and/or the authentication, and a hardware security module performs
the decryption and/or the authenticity check.
2. The method as claimed in claim 1, wherein the communication data
are vehicle-to-X messages.
3. The method as claimed in claim 1, wherein the processor and the
hardware security module each comprise a TRNG or a key generator
module.
4. The method as claimed in claim 1, wherein the processor and the
hardware security module are linked via a shared secret such that
at least the hardware security module cannot be linked to any other
processor.
5. The method as claimed in claim 1, wherein the processor executes
software that performs a secure boot procedure.
6. The method as claimed in claim 1, wherein the processor executes
software that opens debugging interfaces only after successful
authentication of the communication partners.
7. The method as claimed in claim 1, wherein the processor
comprises a special secure RAM, which can be used solely by a
security module assigned to the processor.
8. The method as claimed in claim 1, wherein an AES module of the
processor performs the encryption.
9. The method as claimed in claim 8, wherein a key of the AES
module is stored in security fuses of the processor.
10. A system for improving the data security in a communication
process, comprising: at least a processor and a hardware security
module, wherein the system implements a method comprising:
encrypting and/or authenticating communication data before sending;
and decrypting and/or checking the authenticity thereof when
received, wherein the processor performs the encryption and/or the
authentication, and the hardware security module performs the
decryption and/or the authenticity check.
11. A system for improving the data security in a communication
process, comprising: at least a processor and a hardware security
module, wherein the communication data are authenticated before
sending and when received the authenticity thereof is checked,
wherein the processor performs the authentication, and the hardware
security module performs the authenticity check, the communication
data are vehicle-to-X messages, and the processor and the hardware
security module are linked via a shared secret such that at least
the hardware security module cannot be linked to any other
processor.
12. The system as claimed in claim 11, wherein the processor
executes only software that performs a secure boot procedure.
13. The system as claimed in claim 11, wherein the processor
executes software that opens debugging interfaces only after
successful authentication of the communication partners.
14. The method as claimed in claim 2, wherein the processor and the
hardware security module each comprise a TRNG or a key generator
module.
15. The method as claimed in claim 1, wherein the processor
executes software that performs a hardware-assisted secure boot
procedure.
16. The system as claimed in claim 11, wherein the processor
executes only software that performs a hardware-assisted secure
boot procedure.
17. The system as claimed in claim 12, wherein the processor
executes software that opens debugging interfaces only after
successful authentication of the communication partners.
Description
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] This application is the U.S. National Phase Application of
PCT International Application No. PCT/EP2015/056413, filed Mar. 25,
2015, which claims priority to German Patent Application No. 10
2014 205 593.8, filed Mar. 26, 2014, the contents of such
applications being incorporated by reference herein.
FIELD OF THE INVENTION
[0002] The invention relates to a method and to a system for
improving the data security in a communication process.
BACKGROUND OF THE INVENTION
[0003] Vehicle-to-X communication (or V2X) is known in the prior
art and is currently in the process of standardization, including
with ETSI. Elliptic Curve Cryptography (ECC) is likewise known in
the prior art. Also known is the Elliptic Curve Digital Signature
Algorithm (ECDSA), which constitutes a Federal Information
Processing Standard (FIPS) method for generating and verifying
digital signatures. The use of ECDSA for signing and verifying
vehicle-to-X messages has been standardized by the IEEE, ETSI and
the Car2Car Communication Consortium. Using what are known as
long-term certificates (LTC) and ECU keys for authenticating
vehicle-to-X communication systems in a public key infrastructure
(PKI) has also been standardized by the IEEE, ETSI and the Car2Car
Communication Consortium.
SUMMARY OF THE INVENTION
[0004] An aspect of the invention defines an efficient design for
improving the data security in a communication process, in
particular in the field of vehicle-to-X communication.
[0005] Within the meaning of aspects of the invention, the term
data security refers to security from unauthorized access to the
data or from data misuse. Thus data security is essentially
dependent on encrypting the data or protecting the integrity of the
data. Since the methods described above use secret key data, secret
storage and use of the keys are also part of data security.
The terms data security and security are used synonymously within
the meaning of the invention.
[0006] According to one aspect of the invention, a method for
improving the data security in a communication process is provided,
in which method the communication data are signed before sending
and verified when received, wherein a processor performs the
signing and a hardware security module performs the
verification.
[0007] The signing may include or be an authentication. In
addition, the verification may include or be an authenticity
check.
[0008] According to another aspect of the invention, a method for
improving the data security in a communication process is provided,
in which method the communication data are encrypted and/or
authenticated before sending and when received are decrypted and/or
the authenticity thereof is checked, wherein a processor performs
the encryption and/or the authentication, and a hardware security
module performs the decryption and/or the authenticity check.
[0009] The hardware security module is preferably implemented as a
dedicated integrated circuit separate from the processor. The
hardware security module is preferably linked solely to the
processor.
[0010] In an advantageous embodiment, the communication data are
vehicle-to-X messages. Thus the method is preferably used to
improve the data security in transmitting vehicle-to-X messages.
The efficiency for encryption and authentication achieved by the
method is particularly advantageous in a vehicle environment
because, owing to the movement of the driver's vehicle, the
communication structure is more transient than in a static
environment.
[0011] In another advantageous embodiment, the hardware security
module complies with a data security certification standard, in
particular with an EAL4+ standard.
[0012] In another advantageous embodiment the hardware security
module complies with a data security certification standard, in
particular with an EAL4+ security level according to the Common
Criteria standard.
[0013] In another advantageous embodiment, the processor and the
hardware security module each comprise a TRNG or a key generator
module.
[0014] In another advantageous embodiment, the processor and the
hardware security module each comprise a non-deterministic random
number generator (TRNG), which is used for the key generation.
[0015] In another advantageous embodiment, the processor and the
hardware security module are linked via a shared secret such that
at least the hardware security module cannot be linked to any other
processor.
[0016] In another advantageous embodiment, the processor executes
software that performs a secure boot procedure, in particular a
hardware-assisted secure boot procedure.
[0017] In another advantageous embodiment, the processor executes
only software that is loaded in a secure boot procedure, in
particular in a hardware-assisted secure boot procedure.
[0018] In another advantageous embodiment, the processor executes
software that opens interfaces, in particular debugging interfaces,
only after successful authentication of the communication
partners.
[0019] In another advantageous embodiment, the processor executes
software that performs resource protection procedures, in
particular for RAM, ROM and CPU load.
[0020] In another advantageous embodiment, the software is an
operating system.
[0021] In another advantageous embodiment, the processor executes
basic software that performs resource protection procedures, in
particular for RAM, ROM and CPU load.
[0022] In another advantageous embodiment, the basic software is an
operating system.
[0023] In another advantageous embodiment, the processor comprises
a special secure RAM, which can be used solely by a security module
assigned to the processor.
[0024] In another advantageous embodiment, an AES module of the
processor performs the encryption.
[0025] In another advantageous embodiment, encrypted data, in
particular AES256-encrypted data, are stored in a non-volatile
memory of the processor.
[0026] In another advantageous embodiment, the AES module is
connected to a DMA.
[0027] In another advantageous embodiment, the security module
assigned to the processor generates pseudonyms for the purpose of
authenticating the communication data.
[0028] In another advantageous embodiment, the security module
assigned to the processor generates the key pairs, in particular
public and private keys, needed for the pseudonyms for the purpose
of authenticating the communication data.
[0029] In another advantageous embodiment, a key of the AES module
is stored in security fuses of the processor.
[0030] In another advantageous embodiment, the security fuses are a
memory area of the processor that is especially protected against
external data accesses.
[0031] In another advantageous embodiment, the pseudonyms are
stored by the processor in encrypted form.
[0032] In another advantageous embodiment, the private pseudonyms
or keys are stored by the processor in encrypted form in a
non-volatile memory, in particular in a flash memory.
[0033] According to another aspect of the invention, a system is
provided for improving the data security in a communication
process, which system comprises at least a processor and a hardware
security module, wherein the system implements the method.
[0034] According to another aspect of the invention, a system is
provided for improving the data security in a communication
process, which system comprises at least a processor and a hardware
security module, and in which system the communication data are
authenticated before sending and when received the authenticity
thereof is checked, wherein the processor performs the
authentication, and the preferably separate hardware security
module performs the authenticity check, wherein the communication
data are vehicle-to-X messages, and wherein the processor and the
hardware security module are linked via a shared secret such that
at least the hardware security module cannot be linked to any other
processor. This achieves the advantage that a computing load on the
processor can be reduced for authenticating received communication
data.
[0035] In an advantageous embodiment, the processor executes only
software that performs a secure boot procedure, in particular a
hardware-assisted secure boot procedure. This achieves the
advantage that a signed, i.e. trustworthy, bootloader can be used
to start an operating system.
[0036] In another advantageous embodiment, the processor executes
software that opens interfaces, in particular debugging interfaces,
only after successful authentication of the communication partners.
This achieves the advantage of being able to provide efficient
access protection for the interfaces.
[0037] In another advantageous embodiment, an AES module of the
processor performs the encryption. This achieves the advantage that
the communication data can be encrypted efficiently.
[0038] In another advantageous embodiment, a key of the AES module
is stored in security fuses of the processor, and the security
fuses are a memory area of the processor that is especially
protected against external data accesses. This achieves the
advantage of being able to provide efficient access protection for
the key of the AES module.
[0039] An example of a system according to an aspect of the
invention consists of a powerful modern host CPU (e.g. ARM Cortex
A) having integrated security functions and of a single external
HSM. The HSM may be EAL4+ certified, for instance, whereas the host
CPU is normally not certified because of its complexity.
[0040] Within the meaning of the invention, the term hardware
security module (HSM) denotes an (internal or external) peripheral
device for efficient and secure execution of cryptographic
operations or applications. By this means it is possible to
guarantee, for example, the trustworthiness and the integrity of
data and the information associated therewith in safety-critical IT
systems. In order to guarantee the required data security, it may
be necessary for the cryptographic keys being used to be protected
both in terms of software and from physical attacks or side channel
attacks.
[0041] Both the CPU and the HSM preferably each comprise a built-in
True Random Number Generator (TRNG), which can be used, and is
used, for key generation.
[0042] Said TRNG is a key generation module, where a key is a
digital data sequence that allows encryption of a data set and/or
verification of the authenticity thereof. If the sender of the
data set and the recipient of the data set have the same key, the
recipient can thereby decrypt the data set and/or verify the
authenticity thereof.
[0043] The HSM is advantageously locked by the CPU by means of a
shared secret such that it can work only with precisely this CPU.
The shared secret is in this case a particular data sequence and a
form of hard-wired key, the existence of which is checked at the
counterpart station, for example in the CPU and in the HSM, before
the actual data are transmitted. If the CPU or the HSM does not
have the shared secret, the counterpart station declines
communication.
[0044] An operating system (OS) that supports all the mechanisms
and/or functions mentioned preferably runs on the CPU, so that an
example system according to the invention can be CC-certified. The
mechanisms and/or functions required for this purpose are e.g.
hardware-assisted secure boot, opening the debugging interfaces
only after authentication of the communication partners, resource
protection for RAM, ROM and CPU load. Other suitable mechanisms
and/or functions known to a person skilled in the art can also be
provided.
[0045] The CPU is preferably assigned a special secure RAM, which
can be used only by the assigned security module.
[0046] Data, preferably encrypted in accordance with AES256, are
stored in the non-volatile memory of the CPU. In this case, the
encryption is performed e.g. automatically by using an Advanced
Encryption Standard (AES) module, which is incorporated in the
Direct Memory Access (DMA) transfer.
[0047] The AES key is preferably stored inaccessibly in security
fuses.
[0048] The HSM module is preferably protected against side channel
attacks.
[0049] The HSM preferably additionally contains an ECC accelerator,
which in a first configuration level is designed particularly
preferably such that it can handle 20 verifications and/or signings
per second. According to a second configuration level, the ECC
accelerator is designed particularly preferably such that it can
handle up to 400 verifications and/or signings per second.
[0050] According to one embodiment, the ECC and ECDSA can be
implemented in hardware or software. According to another
embodiment, hardware security modules (HSM) can be used for secure,
i.e. secure from unauthorized access, storage and use of
cryptographic materials (e.g. what are known as keys or private
keys).
BRIEF DESCRIPTION OF THE DRAWINGS
[0051] Further preferred embodiments are given in the dependent
claims and in the following description of an exemplary embodiment
with reference to FIGURES, in which:
[0052] FIG. 1 shows an example use of a security infrastructure
according to the invention and of a possible system according to
the invention in the form of function blocks and hardware
blocks.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0053] FIG. 1 shows an example use of a security infrastructure
according to the invention and of a possible system according to
the invention in the form of function blocks and hardware blocks.
The system comprises a processor 4, which is formed by a CPU, and a
hardware security module 3, which is separate from said
processor.
[0054] The system for improving the data security in a
communication process can comprise the processor 4 and hardware
security module (HSM) 3, in which system the communication data are
authenticated before sending and when received the authenticity
thereof is checked, wherein the processor 4 performs the
authentication, and the hardware security module 3 performs the
authenticity check, wherein the communication data are vehicle-to-X
messages, and wherein the processor 4 and the hardware security
module 3 are linked via a shared secret such that at least the
hardware security module 3 cannot be linked to any other
processor.
[0055] A private key for an ECU, which is referred to as the ECU
key 2, and a long-term certificate, which is referred to as the LTC
1, are, for example, generated and stored in HSM 3 and also used
only there, which means that the corresponding private keys (ECU
key 2 and LTC 1) never leave HSM 3 and that HSM 3 itself cannot be
misused by removal from the associated hardware circuit board, e.g.
by desoldering, because it is linked to CPU 4. Security module 5 of
CPU 4 generates pseudonyms and stores them in encrypted form. In
addition, all message signings are performed in CPU 4, because
there a signing takes only about 2 ms, which for the required
end-to-end latencies of <100 ms is far more advantageous than
using HSM 3, which needs about 50 ms for this operation. Using
non-volatile memory 6 of CPU 4 for the instruction counter storage,
also known as program counter storage (PC), has the advantage that
program counts of 3000 or even more are thereby easily and
economically possible. Alternatively, the non-volatile memory 6 of
CPU 4 can be used for security-relevant data such as pseudonyms,
which has the advantage that several thousand pseudonyms or other
security certificates can thereby be stored easily and
economically.
[0056] Verification of incoming messages is performed for all
messages to be forwarded (known as multihop messages) (max. 10/s).
In addition, "on demand" verification is performed (max. 5/s), or
all incoming messages are verified if there is enough computing
power available for this.
[0057] The messages are hashed in CPU 4, and the hash and the
public key of the attached PC are transmitted to HSM 3, where the ECC
operation is performed. This manages to remove a significant load
from CPU 4, as a result of which it is possible to dispense with a
multicore CPU here, for example. The ECC operation is evaluated in
CPU 4.
[0058] According to one embodiment, the messages to be verified are
hashed in CPU 4 using a secure hash function, in particular using
SHA256 for ECDSA256, and the hash and the public key of the
attached pseudonym (PC) are transmitted to HSM 3, where the ECC
operation is performed. This manages to remove a significant load
from CPU 4, as a result of which it is possible to dispense with a
multicore CPU here, for example. The ECC operation is evaluated in
CPU 4.
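The CPU/HSM split of [0055] to [0058] together with the shared-secret lock of [0043], as an added Go example that is not part of the patent or of any Continental product: the CPU signs outgoing messages and hashes incoming ones, the HSM performs only the ECC verification on the digest and public key it receives, and the HSM refuses requests from a CPU that does not hold the pairing secret. The HMAC challenge-response used to prove possession of the secret, the type and function names, the secret values and the sample message are assumptions; the patent does not say how the secret's existence is checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// HSM models hardware security module 3: it keeps the pairing secret and only
// runs the ECC verification on a digest and public key handed over by the CPU.
type HSM struct{ pairingSecret []byte }

// VerifyRequest is the CPU-to-HSM message of [0058] plus an HMAC over
// nonce||digest proving possession of the shared secret (a constructed format).
type VerifyRequest struct{ Digest, Sig, Nonce, Proof []byte; Pub *ecdsa.PublicKey }

func proof(secret, nonce, digest []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonce)
	m.Write(digest)
	return m.Sum(nil)
}

// Challenge hands out a fresh nonce so a recorded proof cannot be replayed.
func (h *HSM) Challenge() []byte { n := make([]byte, 16); rand.Read(n); return n }

// Verify declines all work unless the proof matches its own pairing secret, so
// an HSM removed from the board and wired to another CPU ([0055]) is useless.
func (h *HSM) Verify(r VerifyRequest) (bool, error) {
	if !hmac.Equal(proof(h.pairingSecret, r.Nonce, r.Digest), r.Proof) {
		return false, errors.New("hsm: requester does not hold the pairing secret")
	}
	return ecdsa.VerifyASN1(r.Pub, r.Digest, r.Sig), nil
}

// CPU models processor 4: it signs outgoing messages itself (the fast path of
// [0055]) and only hashes incoming ones before delegating ECC work to the HSM.
type CPU struct{ pairingSecret []byte; pseudonym *ecdsa.PrivateKey }

func (c *CPU) Sign(msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, c.pseudonym, d[:])
}

func (c *CPU) CheckIncoming(h *HSM, msg, sig []byte, pub *ecdsa.PublicKey) (bool, error) {
	d := sha256.Sum256(msg) // hashing stays on the CPU; only the digest crosses over
	n := h.Challenge()
	return h.Verify(VerifyRequest{d[:], sig, n, proof(c.pairingSecret, n, d[:]), pub})
}

// RunScenario returns (genuine accepted, tampered rejected, foreign CPU refused).
func RunScenario() (bool, bool, bool) {
	secret := []byte("constructed pairing secret")
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	hsm, cpu := &HSM{secret}, &CPU{secret, key}
	msg := []byte("CAM: station 0x2A lat=50.11 lon=8.68 speed=13.9") // constructed sample
	sig, _ := cpu.Sign(msg)
	ok, _ := cpu.CheckIncoming(hsm, msg, sig, &key.PublicKey)
	bad, _ := cpu.CheckIncoming(hsm, []byte("CAM: station 0x2A lat=50.11 lon=8.68 speed=33.9"), sig, &key.PublicKey)
	_, err := (&CPU{[]byte("secret of another board"), key}).CheckIncoming(hsm, msg, sig, &key.PublicKey)
	return ok, !bad, err != nil
}

func main() { fmt.Println(RunScenario()) }
```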
[0059] CPU 4, for example, is an iMX6solo processor from the
Freescale company. An ATECC108 chip from the Atmel company is used
for HSM 3, for example. PikeOS from the Sysgo company, for example,
is used as the operating system on CPU 4.
[0060] In addition, the system shown by way of example comprises
RAM 7, flash memory 8, DMA 9, logic module 10, combined ECC, SMA,
AES, TRNG and ID module 11.
LIST OF REFERENCES
[0061] 1 LTC
[0062] 2 ECC key
[0063] 3 hardware security module, HSM
[0064] 4 processor, CPU
[0065] 5 security module
[0066] 6 memory
[0067] 7 RAM
[0068] 8 flash memory
[0069] 9 DMA
[0070] 10 logic module
[0071] 11 combined ECC, SMA, AES, TRNG and ID module